[Snort-sigs] Call for Spyware
matt at ...2436...
Wed Aug 18 08:49:29 EDT 2004
At the bleedingsnort.com project we've been a bit obsessed with spyware.
The sigs we have up have been doing a great job of helping us identify
and get cleaned hundreds of infected PCs. And we're hearing similar
success from many others.

We don't want to let those rules stagnate though. The spyware is always
changing, and I'm sure the distributors of spyware have seen our efforts
and are making changes to adjust and not be seen by existing rules. Many
of the rules are very easy to circumvent by changing a URL or script name.

So this is a call for spyware. If you have details, infected systems,
and/or preferably pcaps of new and/or undetected spyware please send it
in. You can send to me direct or to bleeding at ...2737... (Please
avoid sending those to this list, that's a bit off-topic.)

It's been absolutely shocking the audacity of these advertisers and
information collectors. Getting this dark little secret detected and out
in the open is very much to all our benefit.

In a rather funny related story, 180solutions (a spyware maker) is suing
a partner for using IE exploits to get their stuff installed. That's an

Please send in your traffic dumps and spyware signatures. We must keep
this up to date.